I think tools like these are very cool and they have me wondering about the long-term relevance of TLA⁺. Beyond formal specifications as a way of getting your thinking straight, the big value of TLA⁺ is a terse & expressive language for extracting concurrent logic into a deterministic simulator where you can poke at it and state invariants or liveness properties. However, if you’re able to simulate your system deterministically in-situ then that is obviously less work. For software that runs across multiple processes or even nodes you have Antithesis, which is an expensive proprietary product, but I can see simple free single-process deterministic thread schedulers like this proliferating across languages - perhaps as Hypothesis extensions. In the TLA⁺ world we know that random simulation is very effective at finding invariant violations, and often more tractable than a full search of the state space. These schedulers offer that.
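As an added illustration of the single-process deterministic schedulers mentioned above (this is example code, not from the original post or any of the tools named): a seeded scheduler runs generator-based "threads", so a randomly found invariant violation can be replayed exactly from its seed. The workload (`racy_counter`) and the scheduling-point convention (a bare `yield`) are constructed assumptions for this example.

```python
import random
from typing import Callable, Generator, Iterable, List, Optional

# A "thread" is a generator that yields at each point where it may be preempted.
Step = Generator[None, None, None]


def run_interleaving(make_threads: Callable[[dict], List[Step]], seed: int) -> dict:
    """Run all threads to completion, picking the next thread to step with a
    PRNG seeded by `seed`. The same seed always produces the same schedule,
    which is what makes a found violation reproducible."""
    rng = random.Random(seed)
    state: dict = {}
    runnable = make_threads(state)
    while runnable:
        t = rng.choice(runnable)
        try:
            next(t)                 # advance the chosen thread to its next yield
        except StopIteration:
            runnable.remove(t)      # thread finished
    return state


def racy_counter(state: dict, n_threads: int = 2) -> List[Step]:
    """Constructed workload: each thread performs a non-atomic
    read / increment / write on a shared counter."""
    state["counter"] = 0

    def worker() -> Step:
        local = state["counter"]        # read
        yield                           # preemption point: another thread may run
        state["counter"] = local + 1    # writes back a stale value if preempted

    return [worker() for _ in range(n_threads)]


def find_violation(make_threads: Callable[[dict], List[Step]],
                   invariant: Callable[[dict], bool],
                   seeds: Iterable[int]) -> Optional[int]:
    """Random simulation: return the first seed whose schedule breaks
    `invariant`, or None if no tried schedule does."""
    for seed in seeds:
        if not invariant(run_interleaving(make_threads, seed)):
            return seed
    return None


if __name__ == "__main__":
    bad = find_violation(racy_counter, lambda s: s["counter"] == 2, range(100))
    print("violating seed:", bad, "->", run_interleaving(racy_counter, bad))
```

Replaying `run_interleaving(racy_counter, bad)` with the returned seed reproduces the lost update deterministically, which is the property the comment above is after.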
If we decide that writing specifications and ensuring that our programs adhere to them is important, then I think one would hope that our programming languages get better at doing those things.
I’d like to see programming languages with (optionally) deterministic run-time systems which can be toggled on during testing; that way, all the stuff in my post would be hidden away in the run-time rather than having to be implemented and dealt with by the user. Once this is in place, various verification methods can more easily follow, model checking being one example.
I believe the P programming language can model check across multiple processes and even nodes. There’s a lot more room for experimentation in this area though.